The Lego Marketplace Hack: How Researchers discovered XSS and SSRF Vulnerabilities

Did you know that researchers recently uncovered some serious vulnerabilities in a popular Lego online marketplace? These vulnerabilities, known as cross-site scripting (XSS) and server-side request forgery (SSRF), could have allowed hackers to take over user accounts, access sensitive data stored on the platform, and even gain access to internal production data to compromise corporate services. But don't worry, there are steps that organizations can take to fix these vulnerabilities and keep the platform safe. In this article, we'll delve into the specifics of XSS and SSRF and explore how companies can protect themselves from these types of attacks. So if you're a fan of Lego (or just want to keep your online data secure), keep reading!

Background

The beloved toy company Lego has an online marketplace for buying and selling their products. It's called BrickLink, and it's a digital platform used by millions of Lego fans around the world. But recently, researchers from Salt Labs (the research arm of Salt Security) uncovered some worrying vulnerabilities in the BrickLink platform. These vulnerabilities could have allowed hackers to gain unauthorized access to the platform or steal sensitive information of users. 

Vulnerability breakdown

Researchers identified two vulnerabilities in the BrickLink digital resale platform by analyzing areas of the site that accept user input. 

1. Researchers discovered  cross-site scripting (XSS)  XSS vulnerability in the "Find Username" dialogue box of the coupon search feature on BrickLink. This vulnerability allowed them to inject and execute malicious code on a victim user's browser through a specially crafted link. But that's not all - the researchers also found an exposed Session ID on a different page, which they were able to combine with the XSS vulnerability to hijack the user's session and gain control of their account. This type of account takeover could have allowed attackers to steal sensitive user data or take complete control of user accounts.

2. Researchers also  discovered a vulnerability on the platform's "Upload to Wanted List" page, which allows users to upload lists of desired Lego parts and sets in XML format. By using this feature, the researchers were able to successfully execute an XML External Entity (XXE) injection attack. This type of attack occurs when a vulnerable XML parser processes an XML input containing a reference to an external entity. By leveraging the XXE injection, the researchers were able to read files on the web server and launch a server-side request forgery (SSRF) attack. This SSRF attack could potentially be used to steal AWS EC2 tokens from the server, which could have  been a serious security concern for the BrickLink platform. 

Thankfully, the Lego Group has fixed these vulnerabilities and keeping their platform safe for all users.

How to prevent such API vulnerabilities:

Are you worried about API vulnerabilities like XSS and SSRF on your website or application? Don't worry, there are steps you can take to protect yourself and your users! Here are a few tips for preventing these types of vulnerabilities:‍

1. ‍Properly validate and sanitize user input: This can help to ensure that your site or application is not vulnerable to malicious code being injected by attackers. You can do this using techniques like input filtering, input validation, and output encoding.‍

2. Disable external entity processing in your XML parser: By default, XML parsers are configured to process external entities, which can make them vulnerable to XXE injection attacks. To prevent this, you can disable external entity processing by setting the "disallow-doctype-decl" or "no-external-general-entities" options in your parser.‍

3. Whitelist Domains in DNS: Whitelisting any domain or address that your application queries is the best approach to prevent SSRF.‍

4. Restrict request protocols: Requests to servers are typically made over HTTPS, but occasionally HTTP as well. Therefore, block requests with ftp:/ and gopher:/ because we are aware that only these protocols are in use. Blocking file:/ will also stop attackers from retrieving files‍

5. Set the "HttpOnly" flag on your cookies: This security feature prevents cookies (like session IDs) from being stolen by attackers. When the HttpOnly flag is set, cookies cannot be accessed by client-side scripts like JavaScript.‍

6. Implement a content security policy (CSP): A CSP defines which content sources can be loaded on your site or application, which can help to prevent the execution of malicious code that an attacker might try to inject.‍

7. Use API security tools like Akto: These tools can help you test your APIs for vulnerabilities like XSS and SSRF, so you can fix any issues before they become a problem.

By following these tips, you can help to keep your site or application safe from API vulnerabilities like XSS and SSRF.

Lessons:

All large businesses have massively increased their usage of APIs to build applications. As a result, APIs have become one of the most common attack vectors for hackers looking to gain access to user data. Just look at the recent data breach at Australian telco Optus - over 9.8 million customer records were exposed, including names, addresses, birth dates, and even government-issued identification numbers. This is just one example of the many API security risks and vulnerabilities that businesses need to be aware of. In fact, according to HackerOne, last year (2022) hackers spent a staggering 45% of their time attacking APIs. That's a lot of potential attacks to worry about! We did a detailed analysis in the blog here. To learn more about API security and stay up to date on the latest incidents around the world, be sure to keep an eye on this space.

Reference:

Computer weekly: Lego hack